
Risk Management The Big Picture – Part 2

Pages: 63      File type: pdf      Size: 1.25 MB      Views: 10      Downloads: 0
Thu Hiền


Content extracted from the document:
Risk Management The Big Picture – Part 2

Going Around the Firewall and Scanning for Vulnerabilities

Information Risk Management - SANS ©2001

If attackers are going to take advantage of vulnerabilities, it makes sense that we need to find them before they do. System, network, and telephone vulnerability scanning tools are a powerful method of doing this.

Gnutella

• Designed for peer-to-peer file sharing on the Internet
• Introduces security weaknesses
  – Hole in a firewall
  – Users give away network information
  – A possible annoyance or DDOS tool

Let's take a look at another Internet threat. This is the threat introduced by users who download and run utilities that are designed to share and search for files across the Internet. Examples are the programs Napster, Gnutella, and more recently Scour. In the next two slides we'll examine Gnutella, its function, and the dangers it introduces.

Gnutella is an Internet file sharing utility. Described as a "servant", Gnutella acts as a server for sharing files while simultaneously acting as a client that searches for and downloads files from other users.

The Gnutella net is peer-to-peer with interconnected servants that search and relay one another to make file sharing and storage truly distributed. When searching for a file, the Gnutella service will search hosts that you are connected to, and hosts they are connected to, and so on. Once the file is found, a download can be initiated with a TCP connection directly between the 'client' and 'server'.

Gnutella was designed to enhance free, easy, and anonymous exchange of information. However, there is a dark side - the distributed nature of the Gnutella net combined with the Gnutella net protocol introduces security weaknesses for Gnutella users. A prime concern is that Gnutella users situated behind firewalls open a hole in their firewall when they connect to an external Gnutella net. The way this works is covered in the next slide.

Traces taken from a Gnutella user's machine show that when searching, requesting a download, or 'pinging' for other Gnutella hosts, the user gives away a combination of information including an IP address within a network, a half-open connection and/or a known set of SEQ and ACK numbers, and a MAC address. Although security is not achievable merely through obscurity, it is certainly better to not openly offer this information to anyone on the Internet!

In order to handle Network Address Translation (NAT), the Gnutella design incorporates the ability to spoof ports and IP addresses. Unfortunately, this means that an unwitting host may be targeted by many simultaneous SYN requests from hosts on the Gnutella net who are attempting to grab the files that the spoofed host is apparently offering.

One more thing - with the current increasing use of Gnutella, and the number of Gnutella versions and downloads available, perhaps it is only a matter of time before someone discovers that there's more to their executable than they originally thought. Is there a better way to distribute a Trojan, than to take advantage of a pool of users eager to download and run the Gnutella binary?

Gnutella - Firewall Subversion

[Diagram: hosts A, B and C, firewalls, and the Gnutella Net]

1. A and B set up Gnutella Net
2. Firewall denies inbound

1. C connects to Gnutella Net
2. C's request ...
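The note above that a 'pinging' Gnutella host gives away an IP address within a network can be checked on captured traffic. This added example (not part of the original SANS material) parses Pong descriptors and flags any that advertise an RFC 1918 address. It assumes the Gnutella v0.4 descriptor layout (23-byte header, 14-byte Pong payload), which the page does not describe, and all sample descriptors are constructed.

```python
import ipaddress
import struct

HEADER_LEN = 23   # 16-byte descriptor ID, type, TTL, hops, 4-byte payload length
PONG = 0x01       # payload descriptor value for a Pong (assumed v0.4 layout)
PONG_LEN = 14     # port(2) + IPv4(4) + files shared(4) + kilobytes shared(4)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pong(descriptor: bytes):
    """Return (ip, port, ttl, hops) for a well-formed Pong, else None."""
    if len(descriptor) < HEADER_LEN:
        return None
    kind, ttl, hops, length = struct.unpack_from("<BBBI", descriptor, 16)
    if kind != PONG or length != PONG_LEN:
        return None
    if len(descriptor) < HEADER_LEN + length:
        return None  # truncated capture
    (port,) = struct.unpack_from("<H", descriptor, HEADER_LEN)
    # The address is carried in network byte order, unlike the port.
    ip = ipaddress.IPv4Address(descriptor[HEADER_LEN + 2:HEADER_LEN + 6])
    return ip, port, ttl, hops


def internal_leaks(descriptors):
    """List Pongs that disclose an internal (RFC 1918) address."""
    leaks = []
    for raw in descriptors:
        pong = parse_pong(raw)
        if pong and any(pong[0] in net for net in RFC1918):
            leaks.append(pong)
    return leaks


def _pong(ip: str, port: int, ttl: int = 6, hops: int = 1) -> bytes:
    """Build a constructed sample Pong for the demo below."""
    header = bytes(16) + struct.pack("<BBBI", PONG, ttl, hops, PONG_LEN)
    body = struct.pack("<H", port) + ipaddress.IPv4Address(ip).packed
    return header + body + struct.pack("<II", 12, 3400)


# Constructed capture: an internal host, a documentation-range host, and a Ping.
SAMPLE = [_pong("10.1.20.7", 6346), _pong("198.51.100.9", 6346),
          bytes(16) + struct.pack("<BBBI", 0x00, 7, 0, 0)]

if __name__ == "__main__":
    for ip, port, ttl, hops in internal_leaks(SAMPLE):
        print(f"internal address disclosed: {ip}:{port} ttl={ttl} hops={hops}")
```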
